Systems and Methods for Use in Computer Network Security

US 20190327085A1
Filed: 04/20/2018
Published: 10/24/2019
Est. Priority Date: 04/20/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for use in managing data across a network based on multiple keys assigned to different participants in association with the data, the method comprising:

identifying, by an originating party, a relying party;

identifying data relevant to at least one interaction between the originating party and the relying party, the data including identifying data specific to the originating party;

encrypting, by a computing device, the data based on a secret;

generating, by a computing device, a key set based on the secret, the key set having at least three keys and structured such that the secret is derivable from at least two of the at least three keys;

disseminating, by the computing device, a first key of the key set and the encrypted data to a control party; and

disseminating, by the computing device, a second key of the key set to the relying party, whereby the relying party is permitted to submit a request to the control party, including the second key, and whereby the control party is permitted to decrypt the encrypted data disseminated to the control party, using the first and second keys, in order to respond to the request from the relying party.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for managing data across a network based on multiple keys assigned to different participants in association with the data. One exemplary method includes identifying, by an originating party, a relying party, identifying data relevant to at least one interaction between the originating party and the relying party, and encrypting the data based on a secret. The method also includes generating a key set based on the secret, where the key set has at least three keys and is structured such that the secret is derivable from at least two of the at least three keys, and disseminating a first key of the key set and the encrypted data to a control party and disseminating a second key of the key set to the relying party.

6 Citations

19 Claims

1. A computer-implemented method for use in managing data across a network based on multiple keys assigned to different participants in association with the data, the method comprising:
- identifying, by an originating party, a relying party;
  
  identifying data relevant to at least one interaction between the originating party and the relying party, the data including identifying data specific to the originating party;
  
  encrypting, by a computing device, the data based on a secret;
  
  generating, by a computing device, a key set based on the secret, the key set having at least three keys and structured such that the secret is derivable from at least two of the at least three keys;
  
  disseminating, by the computing device, a first key of the key set and the encrypted data to a control party; and
  
  disseminating, by the computing device, a second key of the key set to the relying party, whereby the relying party is permitted to submit a request to the control party, including the second key, and whereby the control party is permitted to decrypt the encrypted data disseminated to the control party, using the first and second keys, in order to respond to the request from the relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein generating the key set includes generating the key set based on the secret and a Shamir secret sharing algorithm.
  - 3. The computer-implemented method of claim 2, further comprising generating a token and associating the token with the key set, prior to disseminating the first key and the second key;
    - andwherein disseminating the first key an the encrypted data to the control party includes disseminating the first key, the encrypted data, and the token to the control party; and
      
      wherein disseminating the second key to the relying party includes disseminating the second key and the token to the relying party.
  - 4. The computer-implemented method of claim 2, wherein the identifying data includes a government ID number associated with the originating party;
    - andwherein the request includes a request for a credit score.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving the request from the relying party, the request including the second key of the key set;
      
      retrieving, by a second computing device associated with the control party, the first key from memory associated with the second computing device;
      
      deriving, by the second computing device, the secret from the first and second keys; and
      
      decrypting, by the second computing device, the encrypted data disseminated to the control party based on the derived secret.
  - 6. The computer-implemented method of claim 5, further comprising transmitting, by the second computing device, a reply to the relying party in response to the request, the reply based on the encrypted data as decrypted by the second computing device but not including the actual encrypted data.
  - 7. The computer-implemented method of claim 1, further comprising:
    - storing a third key of the key set in memory of the computing device; and
      
      transmitting, by the computing device, a request to the control party to modify and/or confirm the encrypted data disseminated to the control party, the request including the third key, whereby the control party is permitted to decrypt the encrypted data using the first and third keys in order to modify and/or confirm the encrypted data based on the request from the originating party.
  - 8. The computer-implemented method of claim 1, further comprising generating, by the computing device, the secret prior to encrypting the data based on the secret.

9. A system for use in managing data across a network based on multiple keys assigned to different participants in association with the data, the system comprising an originating party computing device having a memory and a processor coupled to the memory, the processor configured, by executable instructions stored in the memory of the originating party computing device, to:
- receive, from an originating party, an indication of a relying party in connection with an identification interaction of the originating party to the relying party;
  
  encrypt data based on a secret, the data including identifying data specific to the originating party;
  
  generate a key set based on the secret and store the key set in the memory, the key set having at least three keys and structured such that the secret is derivable from at least two of the at least three keys;
  
  generate a token associated with the originating party, the encrypted data and/or the key set;
  
  disseminate the token, a first key of the key set, and the encrypted data to a control party; and
  
  disseminate the token and a second key of the key set to the relying party, whereby the relying party is permitted to submit a request to the control party, including the token and the second key, and whereby the control party is permitted to identify the first key based on the token and decrypt the encrypted data disseminated to the control party, using the first and second keys, in order to respond to the request from the relying party.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, where in the processor of the originating party computing device is further configured, by the executable instructions, to generate the secret prior to encrypting the data based on the secret.
  - 11. The system of claim 10, wherein the processor of the originating party computing device is configured, by the executable instructions, in connection with generating the key set, to generate the key set based on the secret and a Shamir secret sharing algorithm.
  - 12. The system of claim 9, wherein the processor of the originating party computing device is further configured, by the executable instructions, to store a third key of the key set in the memory of the originating party computing device.
  - 13. The system of claim 12, further comprising a control party computing device associated with the control party, the control party computing device having a memory and a processor coupled to the memory, the processor of the control party computing device configured, by executable instructions stored in the memory of the control party computing device, to:
    - receive the request from the relying party, the request including the second key of the key set;
      
      retrieve, from the memory of the control party computing device, the first key disseminated to the control party by the processor of the processor of the originating party computing device;
      
      derive the secret from the first and second keys; and
      
      decrypt the encrypted data based on the derived secret; and
      
      transmit a reply to the request to the relying party, the reply including decrypted data and/or data accessible based on the decrypted data.
  - 14. The system of claim 13, wherein the request includes at least one of a name, address, phone number and birthdate of the originating party;
    - andwherein the control party computing device is configured to verify the identity of the originating party based on the decrypted data and the at least one of the name, address, phone number and birthdate of the originating party, prior to transmitting the reply to the request to the relying party.
  - 15. The system of claim 14, wherein the reply transmitted to the relying party includes at least some of the encrypted data but does not include all of the encrypted data.
  - 16. The system of claim 13, wherein the processor of the originating party computing device is further configured, by the executable instructions stored in the memory of the originating party computing device, to transmit a request to the control party to modify and/or confirm the encrypted data disseminated to the control party, the request including the third key.
  - 17. The system of claim 16, wherein the processor of the control party computing device is further configured, by the executable instructions stored in the memory of the control party computing device, to decrypt the encrypted data using the first and third keys and to modify and/or confirm the encrypted data based on the request from the processor of the originating party computing device.

18. A non-transitory computer-readable storage media including executable instructions for use in managing data across a network based on multiple keys assigned to different participants in association with the data, which, when executed by at least one processor, cause the at least one processor to:
- identify a relying party;
  
  encrypt data based on a secret, the data including identifying data specific to the originating party;
  
  generate a key set based on the secret and a Shamir secret sharing algorithm, the key set having N keys and structured such that the secret is derivable from at least N−
  
  1 of the N keys, where N is an integer greater than 2;
  
  disseminate a first key of the key set and the encrypted data to a control party; and
  
  disseminate a second key of the key set to the relying party, whereby the relying party is permitted to submit a request associated with the data to the control party, including the second key, and whereby the control party is permitted to decrypt the encrypted data disseminated to the control party, by use of the first and second keys, in order to decrypt the encrypted data and to respond to the request from the relying party.
- View Dependent Claims (19)
- - 19. The non-transitory computer-readable storage media of claim 18, wherein the executable instructions, when executed by the at least one processor, further cause the at least one processor to:
    - generate a token and associate the token with the key set, prior to disseminating the first key and the second key;
      
      disseminate the token along with the first key and the encrypted data to the control party; and
      
      disseminate the token along with the second key to the relying party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Patel, Keyur

Granted Patent

US 10,771,245 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6245   Protecting personal data, e...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/12   Applying verification of th...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3239   involving non-keyed hash fu...

H04L 9/50   using hash chains, e.g. blo...

H04W 12/02   Protecting privacy or anony...

H04W 12/0471   Key exchange

Systems and Methods for Use in Computer Network Security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Use in Computer Network Security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links